GP-013 Risk management
Procedure flowchart
Purpose
To describe the procedure to control and establish the risk management of our medical devices, from its conception throughout design, development, placing into the market and post-market phase (along its life cycle), to guarantee patient safety and remove or minimise risks as much as possible.
Scope
All medical devices developed by us and all processes involved in the product's life cycle.
Responsibilities
JD-001
To approve the risk management plan and procedure.
JD-004
To prepare the risk management plan and procedure in order to develop the risk management, and record the risk analysis and the risk management report.
JD-003
To request the risk management report and evaluate it together with the JD-005
the JD-004
.
JD-005
To develop and review the risk management, perform the risk analysis and evaluate the benefit/risk ratio of the risks detected.
Inputs
UNE-EN ISO 14971:2020
Regulation (EU) 2017/745 MDR
ISO/TR 24971:2020
- Preclinical and clinical data.
- Risks know and foreseeable.
- Monitoring and measurements of incidents.
- Information collected from PMS and PMCF.
Outputs
T-013-001 Risk management plan
T-013-002 Risk management record
T-013-003 Risk management report
- Risk acceptability.
- Acceptability of the benefit-risk ratio, included within the
T-013-003 Risk management report
.
Development
Risk management policy
In this section, we clarify the roles and responsibilities of our senior management and our staff in the risk management process. We also describe the context for risk management as part of the overall system of internal controls and arrangements, outlining the main principles behind the risk management framework. Furthermore, we explain how acceptable risks are determined and define our criteria for risk acceptability.
Risk acceptability criteria
With the goal of providing a framework that ensures that criteria are based upon applicable national or regional regulations and relevant international standards, and taking into account available information such as the generally acknowledged state of the art and known stakeholder concerns, we define our criteria for risk acceptability.
The risk acceptability is based on an analysis of the probability of the occurrence of the harm (P) and the severity of the harm (S) in case that the patient or user is exposed to a hazard.
Severity (S)
The severity values are calculated according to the following table:
Score | Impact | Severity of product and client | Effect |
---|---|---|---|
5 | Critical | Damage or nuisance capable of causing serious damage to the health of the user or breach of commitments or essential requirements. | Loss or degradation of primary function or death and / or non-compliance with requirements. |
4 | Serious | Harm or nuisance capable of causing severe or significant harm to the user or non-compliance with QMS capable of endangering compliance with essential and non-essential commitments or requirements. | Permanent impairment or irreversible injury and / or minor non-conformities that may lead to direct non-compliance with requirements or lack of evidence |
3 | Major | Damage or nuisance capable of causing minor or slight damage to the user or non-compliance with QMS capable of endangering compliance with non-essential requirements. | Injury or impairment requiring medical or surgical intervention and / or minor non-conformities that may lead to direct non-compliance with requirements or lack of evidence |
2 | Minor | Nuisance in the absence of danger to the user or small errors in the manufacturer's QMS that does not jeopardize compliance with requirements. | Temporary injury or impairment not requiring medical or surgical intervention and / or non-conformities of regulatory requirements |
1 | Negligible | No discernible effect or detriment to the ability to meet requirements | Inconvenience or temporary discomfort |
0 | None | None | None |
Probability (P)
The probability values are calculated according to the following table:
Score | Probablity | Meaning |
---|---|---|
5 | Frequent | It is very probable that happens. When the dangerous situation occurs, there is a possibility between >75% that it could lead to damage to the patient. |
4 | Probable | It is probable that happens. When the dangerous situation occurs, there is a possibility between >50% ≤75% that it could lead to damage to the patient. |
3 | Occasional | It is possible that happens often. When the dangerous situation occurs, there is a possibility between >10% ≤50% that it could lead to damage to the patient. |
2 | Remote | It is probable that happens some time. When the dangerous situation occurs, there is a possibility between >0,1% ≤10% that it could lead to damage to the patient. |
1 | Improbable | It not impossible that happens but exists some possibility it is that happens . When the dangerous situation occurs, there is a possibility ≤ 0,1% that it could lead to damage to the patient. |
0 | Impossible | It is impossible that happens |
When the probability of occurrence of harm cannot be estimated, the probability will be assigned in terms of detectability.
The detectability can be estimated according to the following table:
Score | Detectability | Meaning |
---|---|---|
5 | REMOTE | Detection probability <10%. Very remote chance that potential hazard will be detected |
4 | LOW | Detection probability <25%. Low chance that potential hazard will be detected |
3 | MODERATE | Detection probability <50%. Moderate chance that potential hazard will be detected |
2 | HIG | Detection probability <80%. High chance that potential hazard will be detected |
1 | ALMOST CERTAIN | Detection probability <100%. Potential hazard will almost certainly be detected |
Approach to risk control
In general terms, we pursue a strategy of reducing risk as far as possible without adversely affecting the benefit-risk ratio. This is our general approach to risk control. However, certain risks may require an approach based on reducing risk as low as reasonably practicable, or even reducing risk as low as reasonably achievable, due to the nature of the risk.
Our top management reviews the suitability of the risk management process in the management review meetings to ensure continuing effectiveness of the risk management process.
Risk acceptability
For each identified hazardous situation, we decide the risk reduction measure based on its risk level. To quantify this, we use the RPN (Risk Priority Number).
As seen in the R-TF-013-002 Risk mangement record
of every device, the risk estimation is the product of the severity multiplied by the probability, from 1 to 25. These values of probability and severity are based on technical previous experience, the state of the art and the foreseeable subjective evaluation.
As a restult, we establish three ranges of acceptability, depending on the RPN.
RPN | Acceptability |
---|---|
From 0 to 5 | Acceptable: the risk is acceptable |
From 6 to 12 | As far as possible (AFAP): only acceptable if accompanied by minimization actions. |
From 13 to 25 | Not acceptable: a benefit-risk analysis is required. |
This results in the following matrix:
PROBABILITY OF OCURRENCE | 5 | Acceptable | As far as possible | Not acceptable | Not acceptable | Not acceptable | |||||
---|---|---|---|---|---|---|---|---|---|---|---|
4 | Acceptable | As far as possible | As far as possible | Not acceptable | Not acceptable | ||||||
3 | Acceptable | As far as possible | As far as possible | As far as possible | Not acceptable | ||||||
2 | Acceptable | Acceptable | As far as possible | As far as possible | As far as possible | ||||||
1 | Acceptable | Acceptable | Acceptable | Acceptable | Acceptable | ||||||
1 | 2 | 3 | 4 | 5 | |||||||
SEVERITY OF HARM |
Evaluation and criteria for individual benefit-risk acceptability and the overall residual risk
The method to evaluate the criteria for individual benefit-risk acceptability and the overall residual risk considers the clinical benefits provided by the performance of the intended use of the medical device.
The individual residual risk acceptance follows the same criteria as the one established for the general risks, and it is indicated in the following table, and it is detailed at the corresponding R-TF-013-002 Risk management record
PROBABILITY OF OCURRENCE | FREQUENT | 5 | Consider conducting a Benefit-Risk analysis | Consider conducting a Benefit-Risk analysis | Not acceptable, conduct a Benefit-Risk analysis | Not acceptable, conduct a Benefit-Risk analysis | Not acceptable, conduct a Benefit-Risk analysis | |||||
---|---|---|---|---|---|---|---|---|---|---|---|---|
PROBABLE | 4 | Consider conducting a Benefit-Risk analysis | Consider conducting a Benefit-Risk analysis | Consider conducting a Benefit-Risk analysis | Not acceptable, conduct a Benefit-Risk analysis | Not acceptable, conduct a Benefit-Risk analysis | ||||||
OCCASIONAL | 3 | Acceptable | Consider conducting a Benefit-Risk analysis | Consider conducting a Benefit-Risk analysis | Consider conducting a Benefit-Risk analysis | Not acceptable, conduct a Benefit-Risk analysis | ||||||
REMOTE | 2 | Acceptable | Acceptable | Consider conducting a Benefit-Risk analysis | Consider conducting a Benefit-Risk analysis | Consider conducting a Benefit-Risk analysis | ||||||
IMPROBABLE | 1 | Acceptable | Acceptable | Acceptable | Acceptable | Acceptable | ||||||
1 | 2 | 3 | 4 | 5 | ||||||||
NEGLIGIBLE | MINOR | MAJOR | SERIOUS | CRITICAL | ||||||||
SEVERITY |
Moreover, we use experts to support the evaluation of the overall residual risk, taking into consideration each of the individual residual risks, in relation to the benefits expected from the medical device under consideration. These experts have knowledge and experience with similar medical devices.
The global benefit-risk ratio is based on general acceptability of the product and evidenced by the R-TF-015-003 Clinical evaluation report (CER)
and periodically revised and re-validated as shown in the Clinical Evaluation Plan (R-TF-015-001 Clinical evaluation plan (CEP)
), or when new hazards are identified and they require assessment and evaluation.
A visual representation, in form of a chart, of each of the residual risks is also used, giving a graphic view of the distribution of the risks. If many of the risks are in the higher severity regions or in the higher probability regions of the risk matrix, then the distribution of the risks can indicate that the overall residual risk might not be acceptable, even if each individual risk has been judged acceptable.
The results of the evaluation of the overall residual risk are documented in the R-TF-013-002 Risk Management Record
.
Principles and governance
Our risk management approach reflects the following principles:
- Ensuring patient safety
- Addressing both value protection and value creation
- Ensuring that roles and responsibilities are explicit and clear
- Ensuring that the process for managing risk is fit for purpose
- Ensuring compliance with the applicable regulatory requirements
- Ensuring safety, performance and effectiveness of the medical device
And will be embedded in our governance structures as follows:
- Our top management is the responsible for the risk management policy and for making sure of the implementation of the policy.
- The top management is also responsible for defining a sound system of internal control that supports the achievement of policies, aims and objectives while safeguarding the public.
- If and when the corporate structure changes, the organisation will ensure that the top management continues to lead and take responsability for the commitment to risk management.
Commitment to risk management
Top management has the responsibility to establish and maintain an effective risk management process. We are commited to implementing an integrated risk management system in line with international reference standards, namely UNE-EN ISO 14971:2020
, and guided by the following principles:
- Leadership of management: our management will provide the necessary resources and ensure that the organization works in accordance with these principles.
- Integration in management processes, especially those related to strategy and planning.
- Comprehensive and harmonized management, so that all risks are managed through a common process for identification, evaluation, and treatment.
- Continuous improvement, through periodic reviews of the management framework.
General requirements for our risk management system
Risk management process
We establish, implement, document and maintain a continuous process throughout the product lifecycle to identify the hazards and hazardous situations related to the medical device, estimate and evaluate the associated risks, control these risks, and monitor the effectiveness of the risk control measures. This process must include:
- Risk analysis
- Risk evaluation
- Risk control
- Production and post-production data
The risk management process will be integrated in all the procedures established at this QMS, especially GP-004 Vigilance System
, GP-006 Non-conformities. Corrective and preventive actions
, GP-007 Post-Market Surveillance
and GP-014 Feedback and complaints
.
We develop a risk management system based on the standard UNE-EN ISO 14971:2020.
Management responsibilities
The top management of the company:
- Ensures the availability of adequate resources, including the assignment of competent personnel, for risk management.
- Defines and documents the global risk acceptability criteria mentioned in this procedure.
- Checks the adequacy of the risk management process at planned intervals to ensure continuing effectiveness of the process (
GP-002 Quality planning
). Any decisions and actions taken will be documented in theT-002-004 Management review report
.
Competence of staff
Staff involved in risk management will have sufficient experience, skills and knowledge to carry out the assigned tasks. The working team responsibilities will be documented in the corresponding T-005-001 Job description
and they also will be described at the T-013-001 Risk management plan
. Each T-013-002 Risk management record
will be edited and reviewed by the people with the greatest knowledge and experience depending on the case, in relation to their knowledge of technologies, regulatory requirements, formation and others.
It is the responsibility of the JD-001
to select the responsible of each task, which are documented in each T-013-002 Risk management record
, showing the name and signature of the responsible individuals.
Risk management plan
Risk management team
The risk management team establishes and documents a T-013-001 Risk management plan
.
To be part of the team, it is necessary to meet the following conditions:
- To have received specific training in the application of the risk management procedure according to the applicable regulations (MDR 2017/745 and ISO 14971),
- &/or deep knowledge of the product, the manufacturing or development process, the analysis and test methods used, and basic knowledge in the medical device requirements (ISO 13485).
The team performing the risk mangement must be comprised by persons with knowledge and experience of not just risk management, but also with knowledge on the medical device, technologies involved and its use.
The responsibilities are defined at the corresponding T-005-001 Job description
and the qualification for each of the components is registered in the T-005-002 Personnel card
.
Risk management plan content
The minimum essential content of the T-013-001 Risk management plan
, which will be reviewed every year, is:
- Scope: description of the risk management purpose and activities, identifying and describing the medical device and the life cycle phases.
- Terms and definitions: description of the most important concepts related to risk management.
- Assignment of responsibilities and authorities.
- Requirements for the review of the risk management activities.
- Criteria for risk acceptability.
- Evaluation and criteria for acceptability of the overall residual risk.
- Verification activities for the implementation and effectiveness of risk control measures.
- Collection and review of relevant production and post-market information.
- Planning of the risk management activities: relationship among the phases of the product's life cycle, the risk management activities and the related documentation.
The risk management process will be established in each phase of the product's life cycle, according to each step defined in this procedure.
Risk management record
The compnay establishes and maintains a Risk management record (T-013-002) according to the applicable requirements.
The T-013-003 Risk management record
considers the following types of risks:
- Requirements risks (user, technical and regulatory)
- Product risks
- Processes risks
- Infrastructure risks
- Personnel training risks
- Safety and security characteristics (according to Annex A & F of the UNE-EN ISO 24971:2019)
Each record contains, at least:
- Hazards and hazardous situations
- Type of risk
- Risk analysis (estimation):
- Foreseeable sequence of events
- Harms
- Risks
- Parts/people affected
- Potential causes/mechanisms of failure
- Initial risk evaluation
- Severity (S) and probability (P) identification
- RPN (Risk Priority Number) = S x P
- Risk control
- Control method selected option (according to UNE-EN ISO 14971:2020)
- Inherently safe design and manufacture
- Protective measures in the medical device itself or in the manufacturing process
- Information for safety and, where appropriate, training to users
- Implanted mitigation measures
- Responsible
- Implemented control measures verification
- Control method selected option (according to UNE-EN ISO 14971:2020)
- Evaluation of overall residual risk
- Severity and probability identification
- RPN (Risk Priority Number)
- Risk level, according to the cover of each
T-013-002 Risk management record
and/or the product'sT-013-001 Risk management plan
, its acceptability and risk level matrices:- Acceptable
- AFAP (“As Far As Possible”). Review required, acceptable with current risk minimization measures.
- Unacceptable
- Risk acceptability, according to cover of each
T-013-002 Risk management record
and/or the product'sT-013-001 Risk management plan
, its acceptability and risk level matrices:- Yes, acceptable
- Pending, it is required a risk minimization action
- No, unacceptable
- Risk minimization for residual risk:
- Control method selected option (according to UNE-EN ISO 14971:2020)
- Inherently safe design and manufacture
- Protective measures in the medical device itself or in the manufacturing process
- Information for safety and, where appropriate, training to users
- Control method based on the combination of some or all the previous.
- Additional control measures
- Control method selected option (according to UNE-EN ISO 14971:2020)
- Assessment of risks arising from risk control measures
- Yes
- No
- Acceptability of the individual benefit-risk ratio
The risk acceptability value for residual risks is documented in the correponding section of this procedure, and it will be based on a specific matrix where the harm probability and severity are related.
In case of having more than one product, we will identify the specific product as part of the file name. For example, for product 1 and product 2, the name of the files will be:
- TF-R-013-002_Risk Management Record_Product 1 name_YYYY_nnn
- TF-R-013-002_Risk Management Record_Product 2 name_YYYY_nnn
Currently, we only develop and manufacture a single product.
The T-013-002 Risk management records
will have a color code to identify:
- Risk level
- Risk acceptability
- Benefit-risk analysis
These colors are:
- Red color: unacceptable.
- Yellow color: AFAP (As Far As Possible), acceptable with current risk minimization measures.
- Green color: acceptable.